ClamAV malware acl condition error

turnersloane

I've been seeing these type of error messages in /var/log/exim/mainlog since about 5am Eastern USA:

2012-01-16 21:53:15 1Rn06l-00084b-Kf malware acl condition: clamd: unable to connect to UNIX socket /usr/local/sbin/clamd (Permission denied)
2012-01-16 21:53:15 1Rn06l-00084b-Kf H=ipxx-xxx-xxx-xxx.mc.at.cox.net ([10.0.0.5]) [xx.xxx.xxx.xxx] F=<[email protected]> temporarily rejected after DATA

No users on this server can send or receive email while this is occurring. I have not performed any updates since Jan 7, 2012, when I updated this particular server to SpamBlocker v4.1. Everything has been working very well.

Troubleshooting shows that if I comment out this section in exim.conf, everything returns to normal.
## deny if email containing virus or other harmful content
#deny message = This message contains a virus or other harmful content (virus_in_message:$malware_name)
#demime = *
#malware = *

But I reinstalled ClamAV via custombuild, just in case... did not have any build errors, ClamAV binds to port 3310, freshclam is running.

More info:
ClamAV 0.97.3/14316/Mon Jan 16 20:23:04 2012
Exim version 4.67 #1 built 22-Apr-2007 19:51:05
SpamBlockerTechnology* powered exim.conf, Version 4.1

As far as I know everything is up to date. The file /usr/local/sbin/clamd exists and is owned by root, should it have a different owner?

Since nothing *appears* to have changed on the server, I'm baffled. I even tried nearly every intelligent solution found here and on other forums, including checking /tmp/clamd.log file size, reinstalling ClamAv, checking file permissions and paths; all seems to be correct - except for the malware acl error.

I'm open for suggestions as I want to update other servers, but obviously am reluctant to do so for now.

Regards,
Sloane
 
Hello,

You should use either a socket or a TCP port. You cannot use both of them. So your installation might be misconfigured.

Show your

Code:
# cat /etc/clamd.conf

I've got there in clamd.conf

Code:
TCPSocket 3310

TCPAddr 127.0.0.1

and

Code:
# grep av_scanner exim.conf

I've got there in exim.conf

Code:
av_scanner = clamd:127.0.0.1 3310


p.s. The socket, if I'm not mistaken, is located by default at /tmp/clamd.socket
 
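The reply above comes down to one question: does the endpoint in exim's av_scanner line actually match a listener in clamd.conf, and if it is a UNIX socket path, is it really a socket? The first log line in the thread shows exim trying to connect to /usr/local/sbin/clamd as a socket, which is the path of the clamd binary. The following is an added example, not code from the thread, from DirectAdmin or from the Exim/ClamAV projects. It assumes the stock clamd.conf keywords (LocalSocket, TCPSocket, TCPAddr), the Exim 4.x av_scanner forms "clamd:/path/to/socket" and "clamd:host port", and the sample config texts embedded below are constructed, not the poster's files.

```python
"""Cross-check clamd's listener configuration against exim's av_scanner.

Added example; assumptions: clamd.conf keywords LocalSocket/TCPSocket/TCPAddr,
Exim av_scanner syntax "clamd:/socket/path" or "clamd:host port",
clamd's PING/PONG command for the live check.
"""
import os
import re
import socket
import stat

# Constructed sample configs (not the poster's files). The "bad" exim line
# points at the clamd *binary*, which reproduces the thread's
# "unable to connect to UNIX socket /usr/local/sbin/clamd" error.
SAMPLE_CLAMD_CONF = """\
# constructed clamd.conf fragment
LogFile /tmp/clamd.log
TCPSocket 3310
TCPAddr 127.0.0.1
"""
SAMPLE_EXIM_BAD = "av_scanner = clamd:/usr/local/sbin/clamd\n"
SAMPLE_EXIM_GOOD = "av_scanner = clamd:127.0.0.1 3310\n"

AV_SCANNER_RE = re.compile(r"^\s*av_scanner\s*=\s*clamd:(\S+)(?:[ \t]+(\d+))?", re.M)


def parse_clamd_listeners(text):
    """Endpoints clamd will listen on: ('unix', path) and/or ('tcp', (addr, port))."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        cfg[key] = value.strip()
    listeners = []
    if "LocalSocket" in cfg:
        listeners.append(("unix", cfg["LocalSocket"]))
    if "TCPSocket" in cfg:
        # Without TCPAddr clamd binds all interfaces; "0.0.0.0" stands for that here.
        listeners.append(("tcp", (cfg.get("TCPAddr", "0.0.0.0"), int(cfg["TCPSocket"]))))
    return listeners


def parse_av_scanner(text):
    """Exim's active (uncommented) clamd av_scanner line as the same endpoint tuple."""
    m = AV_SCANNER_RE.search(text)
    if not m:
        return None
    target, port = m.group(1), m.group(2)
    if target.startswith("/"):
        return ("unix", target)
    if port is None:
        raise ValueError("clamd TCP target needs the form 'host port'")
    return ("tcp", (target, int(port)))


def path_kind(path):
    """'socket', 'file' or 'missing' for a filesystem path (real stat())."""
    try:
        st = os.stat(path)
    except OSError:
        return "missing"
    return "socket" if stat.S_ISSOCK(st.st_mode) else "file"


def check_consistency(clamd_conf, exim_conf, kind_of=path_kind):
    """List of problems; an empty list means exim and clamd agree on the endpoint."""
    problems = []
    listeners = parse_clamd_listeners(clamd_conf)
    scanner = parse_av_scanner(exim_conf)
    if scanner is None:
        return ["exim.conf has no active av_scanner = clamd:... line"]
    if not listeners:
        problems.append("clamd.conf has neither LocalSocket nor TCPSocket")
    if scanner[0] == "unix":
        path = scanner[1]
        kind = kind_of(path)
        if kind == "file":
            problems.append(f"{path} is a regular file (the clamd binary?), not a socket")
        elif kind == "missing":
            problems.append(f"{path} does not exist; is clamd running?")
        if ("unix", path) not in listeners:
            problems.append(f"clamd.conf has no LocalSocket {path}")
    else:
        host, port = scanner[1]
        ok = any(kind == "tcp" and ep[1] == port and ep[0] in (host, "0.0.0.0")
                 for kind, ep in listeners)
        if not ok:
            problems.append(f"clamd.conf does not listen on {host}:{port}")
    return problems


def ping_clamd(endpoint, timeout=3.0):
    """Send clamd's PING over the configured transport; True if it answers PONG."""
    family = socket.AF_UNIX if endpoint[0] == "unix" else socket.AF_INET
    s = socket.socket(family, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(endpoint[1])
        s.sendall(b"zPING\0")
        return s.recv(16).startswith(b"PONG")
    except OSError:
        return False
    finally:
        s.close()


if __name__ == "__main__":
    # File locations are assumptions; adjust to where your build keeps them.
    with open("/etc/clamd.conf") as f:
        clamd_conf = f.read()
    with open("/etc/exim.conf") as f:
        exim_conf = f.read()
    for p in check_consistency(clamd_conf, exim_conf) or ["config consistent"]:
        print(p)
    ep = parse_av_scanner(exim_conf)
    if ep:
        print("clamd answers PING:", ping_clamd(ep))
```

Run it on the box as root; a regular-file verdict for the av_scanner path is exactly the poster's first log line, and a failing PING with a consistent config points at the daemon or the socket's permissions rather than at exim.conf.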
Thanks, zEitEr, I have everything just like you. I changed exim.conf to this:

#new for 16 Jan 2012
av_scanner = clamd:/usr/local/sbin/clamd

from this:
av_scanner = clamd:127.0.0.1 3310

to see if anything changed. Still had the same acl errors, and all emails being sent through the server by valid users were still being rejected. Yes, I stopped all clamd and freshclam daemons. Even changed their file permissions to ensure that they would not start.

As mentioned in my previous post, clamav was reinstalled/recompiled without errors.

Just now I modified exim.conf back to

av_scanner = clamd:127.0.0.1 3310

and commented out av_scanner = clamd:/usr/local/sbin/clamd

Stopped and started clamd, then stopped and started exim.

As long as the exim.conf has this:
## deny if email containing virus or other harmful content
#deny message = This message contains a virus or other harmful content (virus_in_message:$malware_name)
#demime = *
#malware = *

everything works great.

As soon as I uncomment the deny message, demime and malware, email stops.

This is a bizarre problem. It is obvious that it is something with the malware acl and clamav, but why would it work for 8 days with no problem then suddenly stop?
 
Well heck. I removed everything on this particular server associated with Clamav and freshclam. Every single file. Made sure all daemons were killed. Then installed ClamAv via custombuild and so far everything is functioning as it should. Must have been a Ghost in the Machine.
 
The issue has returned. Based on exim's mainlog, I've determined that clamav goes crazy at 5:03 Eastern time. I noticed the same time on the previous occurrences on Jan 16th.

Apparently something in cron.daily triggers the problem, but it doesn't do so everyday, as everything will run fine for 2-3 days or longer.
 
What if logrotate can't reload clamd after log rotation? As soon as you see that error logs, check if clamd is running and compare its PID with that one in pid file. Do the PIDs match?

Check system logs.
 
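The PID comparison suggested above can be scripted so it runs from the same cron slot that triggers the problem. This is an added example, not the thread's or the ClamAV project's code. It assumes a Linux /proc filesystem (process names are read from /proc/PID/comm), the PidFile keyword in clamd.conf, and that the pidfile text passed in was read by the caller; the lambdas in the tests stand in for real processes.

```python
"""Is the clamd named in the pidfile the clamd that is actually running?

Added example; assumes Linux /proc and clamd.conf's PidFile setting.
Distinguishes a stale pidfile (daemon died, e.g. not restarted after
logrotate) from a reused PID (another program now has that number) and
from extra clamd instances the pidfile does not know about.
"""
import os


def read_pidfile(text):
    """Integer PID from pidfile contents, or None if the file is empty or junk."""
    text = text.strip()
    return int(text) if text.isdigit() else None


def process_name(pid, proc="/proc"):
    """Command name from /proc/<pid>/comm, or None if no such live process."""
    try:
        with open(f"{proc}/{pid}/comm") as f:
            return f.read().strip()
    except OSError:
        return None


def pidfile_status(pidfile_text, expected_name="clamd", name_of=process_name):
    """'ok', 'stale' (PID dead), 'reused' (PID is another program) or 'empty'."""
    pid = read_pidfile(pidfile_text)
    if pid is None:
        return "empty"
    name = name_of(pid)
    if name is None:
        return "stale"
    if name != expected_name:
        return "reused"
    return "ok"


def running_pids(expected_name="clamd", proc="/proc"):
    """All live PIDs whose command name is expected_name, by scanning /proc."""
    try:
        entries = os.listdir(proc)
    except OSError:
        return []
    return sorted(int(e) for e in entries
                  if e.isdigit() and process_name(int(e), proc) == expected_name)


def diagnose(pidfile_text, live, expected_name="clamd", name_of=process_name):
    """One-line verdict combining pidfile status with the list of live clamd PIDs."""
    status = pidfile_status(pidfile_text, expected_name, name_of)
    pid = read_pidfile(pidfile_text)
    if status == "ok" and live == [pid]:
        return f"ok: single {expected_name} (pid {pid}) matches pidfile"
    if status == "ok":
        return f"pidfile pid {pid} is {expected_name}, but other instances run too: {live}"
    if live:
        return f"pidfile is {status}; {expected_name} runs as {live}, restart scripts will miss it"
    return f"pidfile is {status} and no {expected_name} is running"


if __name__ == "__main__":
    # Pidfile location is an assumption; take it from PidFile in clamd.conf.
    pidfile = "/var/run/clamd.pid"
    try:
        with open(pidfile) as f:
            text = f.read()
    except OSError:
        text = ""
    print(diagnose(text, running_pids()))
```

If the verdict is "stale" while clamd is listed as live, the daemon was restarted without rewriting its pidfile (or the pidfile path differs from what the init and logrotate scripts use), which is the failure mode a log-rotation reload would show.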
Just a quick follow up to my original post:

Make sure that all your techs keep good notes on what they do. This was invaluable to solving this issue.

Part of the original issue was that we had originally used the update script from Martynas on this particular server to install ClamAV, and via the technician's notes, ClamAV was later "updated" via Custombuild. No blame to Martynas, it was OUR tech (at least he kept good notes). The two installs of ClamAV apparently caused issues over the past year and the tech did what he thought would fix the problems by commenting out ClamAV from exim.conf, and adding a scan to cron.daily - thus the problems whenever cron would run.

After finding this, we cleaned the box of anything associated with ClamAV, removed the cron scan, and installed ClamAV via Custombuild. All works quite well now. No blame to anyone here with DA....and thanks to our tech who kept good notes, though he left our company a few months ago.
 